Beware calls from unknown numbers - this top messaging app has placed millions of iOS and Android users at risk

Researchers have identified a critical vulnerability in popular privacy-centric messaging app Signal, affecting millions of iOS and Android users.

Discovered by security firm Tenable, the bug could allow hackers to gain access to users' coarse location data and map out patterns of movement - such as time-periods during which a user is likely to be at home, work, or their favorite local haunt.

To execute an attack, the hacker need only use Signal to call another user, whose location could be compromised whether or not the call is answered.

The bug was introduced with Signal v4.59.0 on Android, while iOS users of any version since v3.8.0.34 could be at risk.

Signal vulnerability

The Signal messaging app features end-to-end encryption for both calls and text messages, attracting millions of privacy-conscious users every day across Android and iOS. Even infamous whistleblower and champion of data privacy Edward Snowden claims to “use Signal every day.”

However, according to an advisory published by Tenable, the app is not as watertight from a privacy perspective as its users might expect.

The newly discovered flaw can be used to leak information about a user's DNS, which can in turn reveal coarse location data and allow the hacker to identify the victim's location within a 400 mile radius.

While this might appear inconsequential to most, using coarse location data in conjunction with DNS server pings from different networks (domestic Wi-Fi, public hotspots, 4G connections etc.) could be used by the hacker to make more precise location assumptions.

Signal was quick to issue a patch for the vulnerability via GitHub, which Tenable commends in its advisory. However, the security firm believes the patch requires technical expertise beyond the abilities of most users, meaning hackers could abuse the flaw freely until a patch is made available on the Apple App Store and Google Play Store.

In the interim, Tenable recommends Signal users install a VPN service that offers a DNS tunnel, which can hinder an attacker's ability to exploit the flaw.

Signal did not immediately respond to our request for comment.

How It works

Search Crack for

Latest IT News

Jun 2
Some people are reporting that the Windows 10 May 2020 Update is causing Blue Screen of Death errors on PCs with older drivers.
Jun 2
Zoom is set to strengthen encryption for its paid and enterprise customers.
Jun 2
Linux 5.7 has arrived and the latest update to the Linux kernel brings a number of new changes and features.
Jun 1
Zoom is working on a plan to strengthen encryption for its paid and enterprise customers.
Jun 1
Beacon is part of the trillion-dollar freight forwarding industry in the UK.
Jun 1
One of the most popular desktop trading platforms is now available on the web.
May 30
ExpressVPN's latest survey highlights consumer concerns that contact tracing apps violate their privacy and could lead to mass surveillance.

Latest cracks